On Sep 17, Citrix released the CTX281474 article. In total, three vulnerabilities were found, all of which are fixed by new firmware.
The following vulnerabilities are addressed here:
- CVE-2020-8245, an HTML injection attack against the SSL VPN portal,
- CVE-2020-8246, a Denial-of-Service attack originating from the management network,
- CVE-2020-8247, an escalation of privileges on the management interface.
The latter two attacks are against MGMT (which is NOT exposed to the Internet, hopefully!) and the HTML injection one requires the user to open a bad link from an attacker. Anyway, we should update our Citrix Gateways and ADCs again.
The issues are fixed by these firmware versions:
- Citrix ADC and Citrix Gateway 13.0-64.35 and later
- Citrix ADC and NetScaler Gateway 12.1-58.15 and later
- Citrix ADC 12.1-FIPS 12.1-55.187 and later
- Citrix ADC and NetScaler Gateway 11.1-65.12 and later.
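To check an inventory against the fixed builds listed above, a small script like the following can help. It is an added example, not code from Citrix or from the original post; the version string formats ("NS13.0: Build 58.32.nc" and "13.0-58.32"), the caller-supplied FIPS flag and the sample hostnames and builds are assumptions made for illustration.

```python
import re

# Minimum fixed builds per release branch, taken from the list above.
# Key: (branch, is_fips). 12.1-FIPS has its own, lower-numbered fixed build.
FIXED = {
    ("13.0", False): (64, 35),
    ("12.1", False): (58, 15),
    ("12.1", True): (55, 187),
    ("11.1", False): (65, 12),
}

# Assumed input formats: "NS13.0: Build 58.32.nc" or "13.0-58.32".
VERSION_RE = re.compile(r"(\d+\.\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)")


def check_build(version, fips=False):
    """Return (status, detail) for one appliance version string."""
    m = VERSION_RE.search(version)
    if not m:
        return "unknown", "cannot parse version string"
    branch = m.group(1)
    # Compare as integers: build 64.4 is older than 64.35.
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((branch, fips))
    if fixed is None:
        # e.g. 12.0: no fixed build appears in the list above.
        return "no-fix-listed", f"branch {branch} has no fixed build listed"
    if build >= fixed:
        return "fixed", f"{branch}-{build[0]}.{build[1]} is at or above the fix"
    return "update", f"needs {branch}-{fixed[0]}.{fixed[1]} or later"


def audit(inventory):
    """inventory: iterable of (hostname, version string, is_fips) tuples."""
    return {host: check_build(ver, fips) for host, ver, fips in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = [
        ("adc-a.example", "NS13.0: Build 58.32.nc", False),
        ("adc-b.example", "13.0-64.35", False),
        ("adc-fips.example", "12.1-55.190", True),
        ("gw-old.example", "NS12.0: Build 63.21.nc", False),
    ]
    for host, (status, detail) in audit(sample).items():
        print(f"{host:18} {status:14} {detail}")
```
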
The same vulnerabilities were also found in Citrix SD-WAN WANOP Edition (not vWAN / Standard Edition). Please see CTX281474 for details.
Reminder: Citrix ADC / Gateway 12.0 is approaching end of life (EOL) on Oct 30, 2020!